
# A guide to monetizing risks for security spending decisions

April 7, 2015
Security executives routinely have to make tough decisions about which risks to mitigate, which to avoid or transfer and which to accept. Your security budget has its limits: you have a finite amount of cash to spend on people and technologies to keep your business's risk at an acceptable level, so you have to make your decisions wisely.

The process of monetizing risk requires thoughtful insight, so you won't want to go through this exercise for every system or network security risk you have. Focus instead on monetizing only your higher-value risks, such as those that could impact a critical business asset and affect company productivity. To put a monetary value on a risk, you need to understand both the likelihood of the risk occurring and its impact on your business.

To determine likelihood, compare the specific controls your organization already has in place against the controls you've determined are needed to mitigate the risk. The ratio of controls in place to controls needed gets us closer to gauging the likelihood of occurrence. It's important to note that we are counting only the specific controls that address the given risk, not every control in your organization. Some controls are also more valuable than others in a given situation, so weight each one according to the scenario. When you later repeat this exercise for other risks, realize that both the applicable controls and their respective weights may change.

Let's say the risk you are monetizing is a data breach of your company's ERP (a critical business application in this example). You've identified nine specific controls that together would satisfactorily address the risk of a data breach. Assign each control a weight from 1 to 10 (10 being the most valuable). During an assessment of the controls, you identified which of these are in place and which are not.

Add the weights of the controls in place (your numerator) and divide by the total weight of the controls needed (your denominator); in this example the result is a control ratio of 53/79. Keep in mind which direction this ratio works in: the more of the needed controls you have in place, the closer it gets to 1 and the less likely the risk is to materialize, so it is the uncovered share (26/79 here) that pushes likelihood up. Next, factor in ease of exploitation to estimate the likelihood of the risk occurring more accurately.

"Ease of exploitation" expresses how hard a given risk is to exploit, considering the skills, time and resources an attacker would need. The values used here are represented in the following illustration.

If, in our ERP example, we estimate that the ease of exploitation is relatively high (0.8), then our completed likelihood formula is.

The last component to plug into our risk monetization formula is impact: the cost of exposing personal data plus the revenue lost while the affected asset(s) are unavailable. By leveraging published Ponemon Institute findings, the average data breach in 2014 cost \$194 per record (in the U.S.). If you suffered a breach that exposed 20K personal data records, the cost of that exposure would be 20,000 × \$194 = \$3.88M. Add the revenue lost while the affected asset(s) were unavailable and you have the impact.
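As an added worked example (not code from the original article), the following Python script carries the walk-through above through to a monetized figure and then uses that figure to rank which missing controls are worth funding, which is the spending decision the article is about. The nine controls, their weights, their hypothetical implementation costs, the 48 hours of downtime and the \$25,000 hourly revenue are all constructed so that the in-place and needed weights reproduce the article's 53/79 ratio. Two things are assumptions rather than the article's own method, because its formula is not reproduced on this page: likelihood is taken as the uncovered share of control weight (1 - 53/79) multiplied by ease of exploitation, and the monetized risk is likelihood × impact.

```python
"""Worked risk-monetization example for the ERP data-breach scenario.

Added example, not the article's code. Controls, weights, costs and the
downtime figures are constructed; the likelihood formula (uncovered
control weight x ease of exploitation) and risk = likelihood x impact
are assumptions, since the article's own formula is not shown here.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Control:
    name: str
    weight: int        # 1-10, 10 = most valuable against this risk
    in_place: bool
    cost: float = 0.0  # hypothetical annual cost to implement, if missing


# Constructed controls: in-place weights sum to 53, all weights to 79.
ERP_CONTROLS = [
    Control("Encryption of ERP database at rest", 10, True),
    Control("MFA for ERP administrative accounts", 10, True),
    Control("Role-based access to customer records", 9, True),
    Control("Monthly vulnerability scanning and patching", 9, False, 60_000),
    Control("Data-loss prevention on outbound traffic", 9, False, 120_000),
    Control("Central logging and alerting for ERP hosts", 8, True),
    Control("Network segmentation of the ERP tier", 8, True),
    Control("Privileged session recording", 8, True),
    Control("Annual penetration test of the ERP", 8, False, 40_000),
]


def control_coverage(controls):
    """Weighted share of the needed control value that is in place (53/79)."""
    if not controls:
        raise ValueError("at least one control is needed to assess the risk")
    in_place = sum(c.weight for c in controls if c.in_place)
    needed = sum(c.weight for c in controls)
    return Fraction(in_place, needed)


def likelihood(controls, ease):
    """Assumed formula: uncovered control weight x ease of exploitation.

    Using 1 - coverage rather than coverage itself means adding a control
    lowers the estimate, and a fully covered risk has likelihood 0.
    """
    if not 0.0 <= ease <= 1.0:
        raise ValueError("ease of exploitation must be between 0 and 1")
    return float(1 - control_coverage(controls)) * ease


def impact(records, cost_per_record, revenue_per_hour, hours_down):
    """Exposure cost plus revenue lost while the asset is unavailable."""
    return records * cost_per_record + revenue_per_hour * hours_down


def monetized_risk(controls, ease, impact_value):
    """Assumed combination rule: expected loss = likelihood x impact."""
    return likelihood(controls, ease) * impact_value


def rank_spending(controls, ease, impact_value):
    """Rank missing controls by risk reduction per dollar spent.

    Funding a missing control of weight w moves w/needed of the uncovered
    share into coverage, so the monetized risk drops by ease * w/needed *
    impact. Returns (name, cost, reduction, reduction_per_dollar) rows,
    best return first.
    """
    needed = sum(c.weight for c in controls)
    rows = []
    for c in controls:
        if c.in_place:
            continue
        if c.cost <= 0:
            raise ValueError(f"missing control {c.name!r} needs a cost estimate")
        reduction = ease * c.weight / needed * impact_value
        rows.append((c.name, c.cost, reduction, reduction / c.cost))
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    imp = impact(20_000, 194, 25_000, 48)  # $3.88M exposure + $1.2M downtime
    print(f"control coverage: {control_coverage(ERP_CONTROLS)}")
    print(f"likelihood:       {likelihood(ERP_CONTROLS, 0.8):.3f}")
    print(f"impact:           ${imp:,.0f}")
    print(f"monetized risk:   ${monetized_risk(ERP_CONTROLS, 0.8, imp):,.0f}")
    for name, cost, reduction, per_dollar in rank_spending(ERP_CONTROLS, 0.8, imp):
        print(f"  {name}: cost ${cost:,.0f}, risk reduction ${reduction:,.0f}, "
              f"{per_dollar:.1f}x return")
```

With these constructed inputs the coverage is 53/79, the likelihood 0.8 × 26/79 ≈ 0.263, the impact \$5.08M and the monetized risk about \$1.34M. The ranking step is where the numbers become a spending decision: the cheapest missing control (the penetration test) returns the most risk reduction per dollar even though the two weight-9 controls each remove more absolute risk, so the weights and the cost estimates both matter, and both should be revisited whenever the scenario changes.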